US11075887B2 - Federating data inside of a trusted execution environment - Google Patents
Federating data inside of a trusted execution environment Download PDFInfo
- Publication number
- US11075887B2 US11075887B2 US15/407,492 US201715407492A US11075887B2 US 11075887 B2 US11075887 B2 US 11075887B2 US 201715407492 A US201715407492 A US 201715407492A US 11075887 B2 US11075887 B2 US 11075887B2
- Authority
- US
- United States
- Prior art keywords
- sensor device
- data
- subscriber
- fee
- device data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active, expires
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/74—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/82—Protecting input, output or interconnection devices
- G06F21/85—Protecting input, output or interconnection devices interconnection devices, e.g. bus-connected or in-line devices
Definitions
- the present techniques relate to federating data inside of a trusted execution environment (TEE).
- TEE trusted execution environment
- TEE technology provides system-wide hardware isolation for trusted software found increasingly in microprocessor design.
- TEE creates an isolated secure world which can be used to provide confidentiality and integrity to the system. It is used on billions of microprocessors to protect high-value code and data for diverse use cases including authentication, payment, content protection and enterprise.
- TEE hardware architecture provides a security framework that enables a device to counter many of the specific threats that it will experience. Instead of providing a fixed one-size-fits-all security solution, TEE technology provides the infrastructure foundations that allow a system on a chip (SoC) designer to choose from a range of components that can fulfil specific functions within the security environment.
- SoC system on a chip
- the primary security objective of the architecture is simple; to enable the construction of a programmable environment that allows the confidentiality and integrity of almost any asset to be protected from specific attacks.
- a platform with these characteristics can be used to build a wide-ranging set of security solutions which are not cost-effective with traditional methods.
- the security of the system is achieved by partitioning all of the SoC's hardware and software resources so that they exist in one of two worlds: a secure world for the security subsystem; and a non-secure world for everything else.
- Hardware logic present in the TEE enabled fabric ensures that no secure world resources can be accessed by the non-secure world components, enabling a strong security perimeter to be built between the two.
- a design that places sensitive resources in the secure world, and implements robust software running on the secure processor cores, can protect almost any asset against many of the possible attacks, including those which are normally difficult to secure, such as passwords entered using a keyboard or touch-screen.
- TEE hardware architecture has been implemented in a single physical processor core to safely and efficiently execute code from both the normal world and the secure world in a time-sliced fashion. This removes the need for a dedicated security processor core, which saves silicon area and power, and allows high performance security software to run alongside the normal world operating environment.
- Each physical processor core provides two virtual cores, one considered non-secure and the other secure, and a mechanism to robustly context switch between them.
- the security state is encoded on the system bus and this enables trivial integration of the virtual processors into the system security mechanism; the non-secure virtual processor can only access non-secure system resources, but the secure virtual processor can see all resources.
- TEE hardware architecture is a security-aware debug infrastructure which can enable control over access to secure world debug, without impairing debug visibility of the normal world.
- application processors that support the security extensions the transition between non-secure world and secure world is managed by software via a firmware call which runs at the highest level of firmware privilege, for example, exception level 3 .
- a TEE comprises: hardware based isolation technology; trusted boot code; and a small trusted operating system (OS).
- a TEE can be used to run multiple isolated trusted applications (apps) which may be provisioned over the air. Compared to other security technologies the TEE provides higher performance and access to larger amounts of memory.
- Typical usage cases for a TEE include: trusted boot, integrity management, authentication, payment, content protection, crypto and mobile device management. Secure world device drivers can be used to interface to peripherals and for example used to enable trusted user interfaces.
- a TEE can be used alongside other security technology such as secure elements, hypervisors and security sub-systems to provide multi-layered defence. The TEE is designed to protect against software attacks (for example malware) and common physical attacks (so called “shack” attacks).
- FIG. 1 is a deployment diagram for a federated gateway of a preferred embodiment
- FIG. 2 is a deployment diagram for the preferred embodiment
- FIG. 3 is a component diagram of the preferred embodiment
- FIG. 4 is a method diagram of the preferred embodiment
- FIG. 5 is a sequence diagram showing interaction sequences between a federated gateway and other actors for the example.
- FIG. 6 is a schematic usage case of the preferred embodiment.
- the deployment comprises: federated gateway 2 ; sensor 4 ; secure user interface 5 ; tenant servers 6 A and 6 B; trusted service manager 8 ; sensor owner provisioner 10 ; and subscription server 12 .
- Federated gateway 2 is a standalone data processing apparatus on a circuit board in a preferred embodiment. In other embodiments federated gateway 2 is a system on a chip either standalone or combined with other hardware such as a network router or gateway.
- Sensor 4 can be any type of device that produces data and can connect securely to the federated gateway 2 .
- sensor 4 is a logically trusted device and comprises a bridge 32 and a sensor transducer 34 .
- Sensor transducer 34 measures a physical thing such as: temperature, pressure, position, heart rate, or motion.
- Bridge 32 provides encryption and communication with the outside world including with: federated gateway 2 ; sensor owner provisioner 10 ; and sensor service server 12 . Communication can be wired or wireless using any other transport protocol. Dedicated dongles or adapters can be used as part of the bridge.
- Secure user interface 5 is directly connected to the trusted execution environment for communicating securely with the federated gateway user.
- a biometric interface is used to verify user input using fingerprint or other biometric information.
- a keypad and password or pin can also be used.
- the secure user interface 5 can only be accessed via the TEE.
- Tenant servers 6 A and 6 B each provide a service (typically for a user) that can receive data from sensor 4 via federated gateway 2 .
- Tenants can provide any network service that receives data from a remote sensor.
- Example tenants are: a health care provider that monitors data from a heart monitor; a doctor who wants to access the same data from the heart monitor; an exercise training company that wants to access the data from a set of scales and/or a security company that monitors a fire sensor.
- Trusted service manager (TSM) 8 stores and distributes, for each registered tenant server, an encryption mechanism for an entity to send secure data to that tenant. For instance, if the encryption mechanism is private public key encryption then TSM 8 will store and provide a public key to federated gateway 2 for sending secure data to that tenant. Encryption mechanisms can be any type of encryption and any type of public key infrastructure. Public key encryption is used as the preferred type of encryption.
- Sensor owner provisioner 10 is a server associated with the sensor that can provision a sensor with an encryption mechanism and authorizes a federated gateway to access the sensor using the encryption mechanism.
- the sensor owner provisioner provisions sensor 34 to store and use a symmetry key for encrypting the measured data. This symmetric key is stored in subscription server 12 along with a sensor identifier.
- Subscription server 12 stores a list of sensors 4 and federated gateways 2 that can be accessed by tenant servers along with associated sensor symmetric key used for encryption. In this example, only a single sensor and federated gateway would be listed.
- Federated gateway 2 provides execution environments running on a processor for securely managing sensor data and comprises: trusted execution environment (TEE) 20 and rich execution environment (REE) 22 .
- REE 22 has external connections whereas TEE 20 has a programming interface to REE 22 but no external interface.
- REE 22 comprises a number of apps: sensor owner app 28 ; federator app 30 ; and in this example two tenant apps 26 A and 26 B.
- FEE 20 comprises: trusted federator app 300 ; and trusted tenant app 16 A and 16 B.
- Trusted tenant app 16 A and 16 B run in processor memory silos 21 (represented by a thick black line around trusted tenant apps 16 A and 16 B) whereby they are isolated in memory from each other. This is in addition to TEE 20 running in processor memory isolated from any other non-TEE processor operations (represented by a thick black line around TEE 20 ).
- Trusted federator app 300 is described in more detail with respect to FIG. 3 but three main components shown here are: data ingestion store 306 for handling sensor data; subscription client manager 308 for handling subscriptions; and run-time method 400 for managing the operation of trusted federator app 300 . These components and other components are part of trusted federator app 300 in the preferred embodiment but other embodiments are envisaged whereby one or more of these components run as individual trusted apps in TEE 20 .
- Sensor owner app 28 communicates with sensors and allows owners and manufacturers to provision a sensor to push data to the data ingestion store 306 in the TEE 20 .
- Federator app 30 provides an interface to the outside world for the trusted federator app 300 such that federator app 30 and trusted federator app 300 are partner apps. Trusted federator app 300 can only receive communication through federator app 30 .
- Tenant apps 26 A and 26 B in REE 22 provide the interface between trusted servers ( 6 A and 6 B) on the network and trusted tenant apps ( 16 A and 16 B) in TEE 20 .
- Federated gateway 2 is operational with numerous other general purpose or special purpose computing system environments or configurations.
- Examples of well-known computing processing systems, environments, and/or configurations that may be suitable for use with federated gateway 2 include, but are not limited to, gateways (headless or otherwise), routers (border routers or otherwise), personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics (smart phones, smart watch, tablet), network PCs, minicomputer systems, mainframe computer systems, and distributed computing environments that include any of the above systems or devices.
- a distributed computer environment includes a cloud computing environment for example where a computer processing system is a third party service performed by one or more of a plurality computer processing systems.
- a distributed computer environment also includes an Internet of things computing environment, for example, where computer processing systems are distributed as a network of objects that can interact with a computing service.
- Federated gateway 2 may be described in the general context of computer system executable instructions, such as program modules, being executed by a computer processor.
- program modules may include: routines; programs; objects; components; logic; and data structures that perform tasks or implement abstract data types.
- Federated gateway 2 may be embodied in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network.
- program modules may be in both local and remote computer system storage media including memory storage devices.
- Federated gateway 2 is connected to a personal area network (PAN) 54 and a wide area network (WAN) 56 .
- PAN personal area network
- WAN wide area network
- Sensor 4 connects through personal network 54 to the federated gateway 2 .
- Secure user interface 5 connects directly to the federated gateway 2 or through personal network 54 .
- Tenant servers 6 A and 6 B connect to federated gateway 2 through WAN 56 .
- Federated gateway 2 comprises: central processing unit (CPU) 62 ; network adapter 64 ; secure device adapter 66 ; bus 68 and device memory 70 .
- CPU central processing unit
- network adapter 64 secure device adapter 66
- bus 68 and device memory 70 .
- CPU 62 loads machine instructions from device memory 70 and performs machine operations in response to the machine instructions.
- Such machine operations include: performing an operation on a value in a register (for example arithmetical or logical operations); moving a value from a register to a memory location directly and vice versa; and conditional or non-conditional branching.
- a typical CPU can perform many different machine operations.
- the machine instructions are written in a machine code language which is referred to as a low-level computer language.
- a computer program written in a high-level computer language (also known as source code) needs to be compiled to a machine code program (also known as object code) before it can be executed by the processor.
- a machine code program such as a virtual machine or an interpreter can interpret a high-level language in terms of machine operations.
- Network adapter 64 is for enabling communication between the federated gateway 2 and network devices.
- Secure device adapter 66 is for enabling secure communication between TEE 20 and sensor 4 . Secure device adapter 66 is also for enabling secure communication between TEE 20 and secure user interface 5 .
- Bus 68 couples the main system components together including memory 70 to CPU 62 .
- Bus 68 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures.
- Device memory 70 includes computer system readable media in the form of volatile memory 72 and non-volatile or persistent memory 74 .
- persistent memory 74 are read only memory (ROM) and erasable programmable read only memory (EPROM). Generally volatile memory is used because it is faster and generally non-volatile memory is used because it will hold the data for longer.
- Federated gateway 2 may further include other removable and/or non-removable, volatile and/or non-volatile computer system storage media.
- persistent memory 74 can be provided for reading from and writing to a non-removable, non-volatile magnetic media (not shown and typically a magnetic hard disk or solid-state drive).
- memory 70 includes a program product having modules that are configured to carry out the functions of embodiments of the invention.
- CPU 62 comprises: processing circuitry 80 ; trusted firmware 81 ; TEE 20 and REE 22 .
- Processing circuitry 80 comprises: fetch circuitry for fetching instructions; decode circuitry for decoding instructions; and execution circuitry for executing instructions (not shown).
- Data and program code stored in the FEE are accessible to processing circuitry 80 configured to operate on the FEE but such data and program code is inaccessible to the processing circuitry 80 when configured to operate in REE 22 .
- Trusted firmware 81 is an operating kernel program for running every other process and environment.
- TEE 20 is a secure execution environment comprises secure memory for program code, data, and processing stack. TEE 20 has less functionality than REE 22 and is only accessible from the REE 22 . TEE 20 is an isolated execution environment that runs in parallel with and providing security for the REE 22 , TEE 20 uses processing circuitry 80 and trusted firmware 81 to protect data. Trusted applications running in a TEE 20 have access to processing circuitry 80 and device memory 70 , while processing circuitry 80 isolates these from user apps running in REE 22 . Trusted firmware 81 protects trusted applications contained within from each other.
- REE 22 is the general execution environment that has more functionality than the TEE 20 .
- TEE 20 provides secure space for: trusted OS 82 ; comms 84 ; and trusted memory 86 .
- Trusted OS 82 is a secure operating system that only runs in TEE 20 .
- Comms 84 are the secure gateway to the world external to TEE 20 and normally via the REE 22 .
- Trusted memory 86 is for secure program code that executes only in the TEE 20 .
- REE 22 provides space for: hypervisor 88 ; rich OS 92 ; TOS API 94 ; and memory 96 .
- Hypervisor 88 allows more than one operating system to run at a time.
- Rich OS 92 is the operating system for REE 22 .
- TOS API 94 is the application programming interface for the trusted operating system and provides means for communicating with the TEE 20 .
- Memory 96 is for applications that run in the REE 22 .
- Modules configured to carry out the functions of the preferred embodiment comprises: federator gateway package 301 .
- the modules are loaded from the persistent memory 74 , where they are stored, into CPU 62 .
- Further program modules that support the preferred embodiment but are not shown include firmware, boot strap program, and support applications.
- federator gateway package 301 comprises: trusted federator app 300 ; federator app 30 ; trusted tenant app 16 A; tenant app 26 A; and sensor owner app 28 .
- Each component of federator gateway package 301 is loaded into the TEE 20 or REE 22 for executing the federator gateway 2 .
- Trusted federator app 300 comprises: message queue 302 ; authorization handler 304 ; data ingestion store 306 ; subscription client manager 308 ; decryption engine 310 ; encryption engine 312 ; validator 314 ; sensor interface 316 ; user interface controller 318 ; and run-time method 400 .
- Message queue 302 is for receiving messages from entities outside of TEE 20 .
- Authorization handler 304 is for monitoring message queue 302 and validating and tracking authorizations and deauthorizations. In the preferred embodiment, sensor data will not be transmitted to a subscriber unless that subscriber has a valid and current authorization.
- Data ingestion store 306 is for receiving, decrypting and storing sensor data.
- Subscription client manager 308 is for managing subscriber subscriptions and for storing an encryption mechanism for each subscriber.
- An encryption mechanism comprises a cryptographic algorithm and key.
- the preferred encryption mechanism is a public private key infrastructure such as PGP and public key. Other embodiments are envisaged that use different cryptographic algorithms.
- Decryption engine 310 is for decrypting the encrypted sensor data.
- Encryption engine 312 is for encrypting the sensor data for each subscriber.
- Validator 314 is for providing secure validation of sensor data and of requests to or from secure user interface 5 .
- Sensor interface 316 is for providing secure communication with sensor 4 .
- User interface controller 318 is for securely communicating with secure user interface 5 .
- Run-time method 400 is for controlling the operation of trusted federator app 400 is described in more detail below.
- a run-time method 400 comprises logical process steps 402 to 424 performed by federator gateway 2 in TEE 20 .
- Step 402 is for receiving, via message queue 302 , a sensor decryption mechanism for handling encrypted sensor data.
- a sensor authorization signal is sent separately but in other embodiments receipt of the sensor decryption mechanism can be used as authorization. This is stored in data ingestion store 306 .
- Step 404 is for receiving, via message queue 302 , a first subscriber encryption mechanism for transmitting encrypted sensor data to a first subscriber.
- a first subscriber authorization signal is sent separately but in other embodiments receipt of the first subscriber encryption mechanism can be treated as authorization. This is stored with subscription client manager 308 .
- Step 406 is an optional step in the preferred embodiment whereby the sensor encrypted data is requested from the sensor when the sensor authorization is received.
- sensor data may be requested by other entities without needing a request from the gateway or even not requested at all if the sensor is broadcasting data.
- Step 408 is for receiving, via message queue 302 , encrypted sensor data.
- Step 410 is for decrypting sensor encrypted sensor data using sensor decryption method and decryption engine 310 .
- Step 412 is an optional step for validating decrypted sensor data.
- One preferred validation method comprises a user authorizing a secure request for decrypting the sensor data by presenting a fingerprint or password to secure user interface 316 .
- Other non-user validation methods can be implemented through the trusted federator application.
- Step 414 is an optional step for requesting and confirming user authorization for subscriber encryption through the secure user interface 316 .
- One preferred confirmation method comprises a user confirming by presenting a fingerprint or password to secure user interface 316 .
- Step 416 is for encrypting sensor data using the first subscriber encryption mechanism (using encryption engine 312 ) and for transmitting the encrypted sensor data to the first subscriber (using subscription client manager 308 ) whereby the sensor data is secure outside of the trusted execution environment.
- Step 418 is for receiving a second subscriber encryption mechanism via message queue 302 for transmitting and encrypting sensor data for a second subscriber. This step is also responsible for receiving further subscriber encryption mechanisms for transmitting and encrypting sensor data for further subscribers. In the preferred embodiment authorization is sent separately.
- Step 420 is an optional step for stopping transmission of the encrypted sensor data to the first subscriber (optionally after receiving deauthorization for first subscriber) depending on how trusted federator app 300 is configured.
- One configuration is not to stop sending of encrypted sensor data to a first subscriber so that many subscribers can simultaneously receive the data (for example when many healthcare services wish to receive the sensor data).
- Another configuration is locked to send sensor data to one subscriber at time (for example when a healthcare service has exclusive access to the sensor data).
- Another configuration is to allow flexible authorization and deauthorization of subscribers.
- Step 422 is for encrypting sensor data using a second subscriber encryption mechanism (using encryption engine 312 ) and for transmitting encrypted sensor data (using client manager 308 ) to the second subscriber whereby the sensor data cannot be read by federated gateway 2 outside of TEE 20 .
- This step is also responsible for encrypting and transmitting sensor data for further subscribers.
- Step 424 is for monitoring for a further subscriber mechanism (and optional authorization) and on receipt returning to step 418 . This is the last step in run-time method 400 .
- a sensor owner for example the original manufacturer, a tenant and/or a network provider
- a tenant server 6 A selects the gateway and sensor coupling to create a subscription.
- the owner enters into relationship for supply and use of the gateway sensor coupling.
- the owner sends an owner certificate to the tenant server 6 A/ 6 B so that the tenant server can prove authentication of the relationship.
- the tenant server 6 A/ 6 B signs the certificate.
- the tenant server 6 A/ 6 B sends to REE 22 the signed certificate and tenant subscription table.
- the tenant subscription table contains: a tenant app; a corresponding tenant trusted app; and a sensor owner app. All these apps are necessary for the subscription.
- REE 22 loads the tenant app and the sensor owner app.
- REE 22 validates the tenant signed certificate and forwards it to the TEE 20 .
- TEE 20 loads the trusted tenant app.
- TEE 20 requests sensor data from the sensor 4 (not necessary if sensor is already broadcasting sensor data).
- step 520 encrypted data is received from the sensor.
- the encrypted data is decrypted in TEE 20 .
- the sensor data is validated by TEE 20 .
- step 526 optionally, encryption for the subscriber is confirmed by the user via the secure user interface.
- the sensor data is re-encrypted for the subscriber's tenant server.
- the encrypted sensor data is sent to tenant server and this is the end of the sequence diagram.
- schematic use case 1 for changing care manager is described comprising steps 600 . 1 to 612 . 1 .
- Step 600 . 1 John is employed by company C 1 , company C 1 uses healthcare X1 services. After seeing his doctor D 1 , John is diagnosed with a condition that is trackable using an electronic sensor that monitors and records his heart rate. Healthcare X1 services provide the monitoring and recommends buying a sensor S 1 .
- Step 602 . 1 John purchases sensor S 1 from a mobile phone retail store.
- Step 604 John's phone is to be the federated gateway and X1's health monitoring package 301 (comprising a federator apps 30 / 300 , X1 tenant apps 16 A/ 26 A and sensor owner app) is installed.
- X1's health monitoring package 301 sets up the phone whereby the apps are loaded into FEE 20 and REE 22 in the phone processor.
- Sensor app connects to sensor and federator.
- X1 tenant apps connect to federator.
- Monitoring commences and data is federated to trusted tenant app 16 A.
- Step 606 John's doctor reviews tracked data using a doctor's interface to X1's health monitoring trusted app data on the Internet.
- Step 608 . 1 John changes employer and the new employer uses X2 healthcare services. New healthcare tenant apps are needed. The federator gateway app needs reconfiguring for the new tenant apps.
- Step 610 . 1 the federator gateway is reconfiguration with X2 trusted tenant app and tenant app.
- access to the sensor is exclusive so that X1's healthcare app is switched off or deleted.
- Step 612 . 1 Doctor D 1 reviews the tracked data for condition from the newly configured X2 trusted tenant app and tenant app.
- usage cases are described which are developed from usage case 1 .
- principles are apparent: a user and user delegates own all the user data; the usage case examples can be implemented with small user intervention except for when consent requires a user response; primary consent is for patient sensor originated data; and secondary consent is for data in the cloud.
- Use case 2 is for the addition of a care provider is described using steps 602 . 2 to 612 . 2 (not shown).
- Steps 602 . 2 to 606 . 2 are the same as respective steps 602 . 1 to 606 . 1 .
- Step 608 . 2 a further healthcare service X3 is recommended (for example a weight loss program).
- Step 610 . 2 the federated gateway 2 is loaded and reconfigured with new healthcare X3 trusted tenant app/tenant app under the control of the sensor owner provisioner 10 .
- X3's trusted tenant app and tenant app are loaded and connected to federator gateway in addition to healthcare app X1.
- Step 612 . 2 Doctor D 1 reviews the tracked data for condition from using a doctor's interface to X1's health monitoring app data on the Internet.
- a weight loss coach requests access to a coach's interface on X3's health monitoring app data on the Internet. John confirms access through the secure user interface.
- Usage case 3 is a change in care profile and is described using steps 602 . 3 to 614 . 3 (not shown).
- Steps 602 . 3 to 606 . 3 are the same as respective steps 602 . 1 to 606 . 1 .
- Step 608 . 3 a further healthcare professional Doctor D 2 is called in by Doctor D 1 .
- Doctor D 2 makes a recommendation to: increase the frequency of tracking the heartrate; to start measuring and tracking blood sugar level using S 1 ; and to measure skin resistance using a new sensor S 2 .
- Step 610 . 3 a new sensor S 2 is provided to John.
- Sensor S 1 and S 2 are configured via federated gateway 2 under the control of the sensor owner provisioner 10 (in this case the phone company) to provide the new measurements.
- federated gateway 2 is deployed in a phone device with a user interface and is enabled to requested permission from the phone owner for reconfiguration of the sensors.
- federated gateway 2 is enabled to requested permission from the phone owner when a new access right request is made to access sensor data on the tenant server. In both cases John approves the access using the secure user interface.
- Step 612 . 3 Doctor 2 requests doctor access using a doctor interface to X1's health monitoring tenant server app. The request is sent through to the trusted tenant app for the user to approve. John approves the request on his phone using finger print authorization and the approval is sent back to the tenant server.
- Step 614 . 3 both Doctor D 1 and Doctor D 2 can review the tracked data from their respective interfaces to X1's health monitoring tenant server app accessible from the Internet.
- Usage case 4 is for a company payor to reward the employee (John) and is described using steps 602 . 4 to 614 . 4 .
- Steps 602 . 4 to 606 . 4 are the same as respective steps 602 . 1 to 606 . 1 .
- Step 608 . 4 employer C 1 wants to reward John for adherence to a healthy lifestyle and to do so requires an audit of the health record.
- Such an audit is a summary of the sensor data to show an overview of performance and is sensitive information that requires approval from John before release.
- Employer C 1 accesses the tenant server through an employer interface that allows a request for an audit.
- Step 610 . 4 the request is sent from the tenant server through to the trusted tenant app for approval by John.
- Step 612 . 4 John approves the request on his phone using finger print authorization and the approval is sent back to the tenant server.
- Step 614 . 4 Employer C 1 can review the audit from interfaces to X1's health monitoring tenant server app accessible from the Internet.
- the tenant server app can also accept reward information and notify John via the trusted tenant app.
- Usage case 5 is for a change in doctor and healthcare service provider. and is described using steps 602 . 5 to 612 . 5 .
- Steps 602 . 5 to 606 . 5 are the same as respective steps 602 . 1 to 606 . 1 .
- sensor owner provisioner 10 (the phone company) requests the federated gateway 2 to download a new set of tenant apps including the trusted tenant app for a new healthcare provider X4.
- the sensor owner provisioner 10 also requests the federated gateway 2 to connect sensor 5 data to the new X4 trusted tenant app. The requests need to be authorized by the user John.
- Step 610 . 5 the requests are sent to the trusted federator app for approval by employee John.
- Step 612 . 5 John approves the requests on his phone using finger print authorization.
- Step 614 . 5 Doctor D 3 requests doctor access using a doctor interface to X4's health monitoring tenant server app. The request is sent through to the trusted tenant app for the user to approve. John approves the request on his phone using finger print authorization and the approval is sent back to the tenant server.
- Step 616 . 5 Doctor D 3 can review the tracked data from his interfaces to X3's health monitoring tenant server app accessible from the Internet.
- Usage case 6 is for post-operative care comprising steps 602 . 6 to 612 . 6 .
- Step 602 . 6 John is given a sensor to wear in hospital.
- a network enabled sensor sends its data to the hospital electronic medical records (EMR) system through a federated gateway application and hospital trusted tenant application on John's phone.
- EMR electronic medical records
- Step 604 John is discharged.
- the hospital sends a request message to the trusted tenant application asking to continue to share the same data with hospital EMR over John's home network post-discharge.
- John approves the request on his phone using finger print authorization.
- Step 606 after 15 days, a new consent request is received for John's GP Doctor D 1 to access the data. John accepts through the secure user interface.
- Step 608 . 6 the data is accessed by the GP and the hospital with John's consent.
- the doctor or hospital can send a notification to John via the federated gateway 2 to verify he can come in for an urgent consultation. Such a verification would be made through secure user interface 5 .
- Step 610 . 6 after some time, both the GP and hospital notify John that they no longer access the data and request that he approves this through the secure user interface. The sensor data is still being measured and John can authorize a private company to monitor it for problems.
- Usage case 7 is for multiple users for one federated gateway. Such a usage case has a federated gateway connected to central network router accessible by multiple users.
- a secure user interface 5 on the federated gateway can authenticate each user.
- a more sophisticated example uses secure user interfaces on each user's personal device such that a fingerprint interface on a user's phone is securely connected to the trusted federator app 300 .
- Usage case 8 envisages a user buying off the shelf sensors or using pre-own sensors.
- the user is the provisioner and has to configure the sensor using a sensor owner provisioner.
- a data processing gateway comprising: data processing circuitry for performing data processing operations in response to program code; a first execution environment (FEE) for storing data and program code; and a second execution environment (SEE) for storing data and program code, wherein data and program code stored in the FEE when accessible to the data processing circuitry configured to operate in the FEE is inaccessible to the data processing circuitry when configured to operate in the SEE, the FEE comprising: a data ingestion store program code for receiving a device decryption mechanism into the FEE to decrypt encrypted device data, the data ingestion store further for receiving encrypted device data into the FEE and for decrypting the encrypted device data using the device decryption mechanism; and a subscriber client manager program code for receiving a first subscriber encryption mechanism into the FEE, and further for encrypting device data using the first subscriber encryption mechanism and further for transmitting encrypted device to a first subscriber externally of the data processing gateway whereby the device data is secure outside of the F
- a trusted execution environment is an example of a first execution environment (FEE) above.
- a rich execution environment is an example of a second execution environment (SEE) above.
- the subscriber client manager is further for receiving a second subscriber encryption mechanism, and further for encrypting the device data using the second subscriber encryption mechanism, and further for transmitting the second subscriber encrypted device data to the second subscriber externally of the data processing gateway whereby the device data is secure outside of the FEE.
- the device is a sensor making physical measurements but the embodiments are not restricted to sensors.
- a device comprises: a sensor making physical measurements and a data processing gateway according to a preferred embodiment, wherein the physical measurements are encrypted for device data and input to the data processing gateway.
- the sensor and federated gateway are part of the same device and can be on the same system on a chip.
- a network server comprises a first tenant server and a data processing gateway according to preferred embodiment 1 wherein the data processing gateway encrypts data for the first tenant server and further encrypts data for a second and more tenant servers than are not located in the network server.
- the FEE of the preferred embodiment comprises a secure user interface for requesting and receiving user authorization before encrypting or decrypting device data.
- a method of data processing in a first execution environment (FEE) in a data processing gateway comprising: data processing circuitry for performing the data processing in response to program code; the first execution environment (FEE) for storing data and the program code; and a second execution environment (SEE) for storing data and program code, wherein data and program code stored in the FEE when accessible to the data processing circuitry configured to operate in the FEE is inaccessible to the data processing circuitry when configured to operate in the SEE, the method comprising: receiving a device decryption mechanism into the FEE for decrypting encrypted device data; receiving a first subscriber encryption mechanism into the FEE for transmitting encrypted device data to a first subscriber; receiving encrypted device data into the FEE; decrypting encrypted device data using the device decryption mechanism; encrypting device data using first subscriber encryption mechanism; and transmitting first subscriber encrypted device data to the first subscriber whereby the device data is secure outside of the FEE.
- FEE first execution environment
- SEE second execution environment
- the method further comprises: receiving a second subscriber encryption mechanism for transmitting encrypted device data to a second subscriber; encrypting device data using second subscriber encryption mechanism; and transmitting second subscriber encrypted device data to the second subscriber whereby the device data is secure outside of the secure execution environment.
- the method further comprises receiving authorization from a user before encrypting or decrypting device data.
- the method further comprises requesting authorization from a user before encrypting or decrypting device data.
- the method further comprises validating decrypted device data prior to transmitting to subscribers.
- the method further comprises receiving a deauthorization signal for first subscriber and halting transmission of encrypted device data to the first subscriber.
- the method further comprises halting transmission of encrypted device data to the first subscriber on receipt of the second subscriber encryption mechanism.
- the method further comprises wherein receipt of a subscriber decryption mechanism is authorization to decrypt and transmit to the subscriber.
- the present techniques may be embodied as a system, method or computer program product. Accordingly, the present techniques may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware.
- the present techniques may take the form of a computer program product embodied in a computer readable medium having computer readable program code embodied thereon.
- the computer readable medium may be a computer readable signal medium or a computer readable storage medium.
- a computer readable medium may be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing.
- Computer program code for carrying out operations of the present techniques may be written in any combination of one or more programming languages, including object oriented programming languages and conventional procedural programming languages.
- program code for carrying out operations of the present techniques may comprise source, object or executable code in a conventional programming language (interpreted or compiled) such as C, or assembly code, code for setting up or controlling an ASIC (Application Specific Integrated Circuit) or FPGA (Field Programmable Gate Array), or code for a hardware description language such as VerilogTM or VHDL (Very high speed integrated circuit Hardware Description Language).
- a conventional programming language interpreted or compiled
- code code for setting up or controlling an ASIC (Application Specific Integrated Circuit) or FPGA (Field Programmable Gate Array)
- code for a hardware description language such as VerilogTM or VHDL (Very high speed integrated circuit Hardware Description Language).
- the program code may execute entirely on the user's computer, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server.
- the remote computer may be connected to the user's computer through any type of network.
- Code components may be embodied as procedures, methods or the like, and may comprise sub-components which may take the form of instructions or sequences of instructions at any of the levels of abstraction, from the direct machine instructions of a native instruction set to high-level compiled or interpreted language constructs.
- a logical method may suitably be embodied in a logic apparatus comprising logic elements to perform the steps of the method, and that such logic elements may comprise components such as logic gates in, for example a programmable logic array or application-specific integrated circuit.
- Such a logic arrangement may further be embodied in enabling elements for temporarily or permanently establishing logic structures in such an array or circuit using, for example, a virtual hardware descriptor language, which may be stored and transmitted using fixed or transmittable carrier media.
- an embodiment of the present techniques may be realized in the form of a computer implemented method of deploying a service comprising steps of deploying computer program code operable to, when deployed into a computer infrastructure or network and executed thereon, cause said computer system or network to perform all the steps of the method.
- the preferred embodiment of the present techniques may be realized in the form of a data carrier having functional data thereon, said functional data comprising functional computer data structures to, when loaded into a computer system or network and operated upon thereby, enable said computer system to perform all the steps of the method.
Abstract
Description
Claims (14)
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/407,492 US11075887B2 (en) | 2016-10-24 | 2017-01-17 | Federating data inside of a trusted execution environment |
PCT/GB2017/052872 WO2018078314A1 (en) | 2016-10-24 | 2017-09-26 | Federating data inside of a trusted execution environment |
CN201780065942.XA CN109863497A (en) | 2016-10-24 | 2017-09-26 | Combine data in the inside of trust performing environment |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201662411791P | 2016-10-24 | 2016-10-24 | |
US15/407,492 US11075887B2 (en) | 2016-10-24 | 2017-01-17 | Federating data inside of a trusted execution environment |
Publications (2)
Publication Number | Publication Date |
---|---|
US20180115530A1 US20180115530A1 (en) | 2018-04-26 |
US11075887B2 true US11075887B2 (en) | 2021-07-27 |
Family
ID=61970531
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/407,492 Active 2037-08-18 US11075887B2 (en) | 2016-10-24 | 2017-01-17 | Federating data inside of a trusted execution environment |
Country Status (3)
Country | Link |
---|---|
US (1) | US11075887B2 (en) |
CN (1) | CN109863497A (en) |
WO (1) | WO2018078314A1 (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10922441B2 (en) * | 2018-05-04 | 2021-02-16 | Huawei Technologies Co., Ltd. | Device and method for data security with a trusted execution environment |
CN110011956B (en) * | 2018-12-12 | 2020-07-31 | 阿里巴巴集团控股有限公司 | Data processing method and device |
CN111400726B (en) * | 2019-01-03 | 2024-04-09 | 斑马智行网络(香港)有限公司 | Data processing method, device, equipment and machine-readable medium |
CN111552949B (en) * | 2020-04-26 | 2023-09-01 | 深圳市兴海物联科技有限公司 | Encryption method and device for Internet of things equipment and electronic equipment |
GB2613652A (en) * | 2021-12-13 | 2023-06-14 | Sonardyne Int Ltd | Subsea measurement apparatus, method of compressing measurement data and method of providing inter-compatibility between apparatus |
WO2024017823A1 (en) * | 2022-07-22 | 2024-01-25 | Stäubli Electrical Connectors Ag | Sensor module for a modular connector |
Citations (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120253852A1 (en) * | 2011-04-01 | 2012-10-04 | Pourfallah Stacy S | Restricted-use account payment administration apparatuses, methods and systems |
US20130091209A1 (en) * | 2011-10-08 | 2013-04-11 | Broadcom Corporation | Ad hoc social networking |
WO2013072177A1 (en) | 2011-11-14 | 2013-05-23 | St-Ericsson Sa | A method for managing public and private data input at a device |
US8510844B2 (en) * | 2004-10-13 | 2013-08-13 | Panasonic Corporation | Authorized content verification method, content transmission/reception system, transmitter, and receiver |
US20130243189A1 (en) * | 2012-03-19 | 2013-09-19 | Nokia Corporation | Method and apparatus for providing information authentication from external sensors to secure environments |
US20140040979A1 (en) * | 2011-10-11 | 2014-02-06 | Citrix Systems, Inc. | Policy-Based Application Management |
US20140075496A1 (en) * | 2012-09-12 | 2014-03-13 | Gyan Prakash | Mobile platform with sensor data security |
US20140281531A1 (en) * | 2013-03-14 | 2014-09-18 | Vinay Phegade | Trusted data processing in the public cloud |
US20160164867A1 (en) * | 2014-12-03 | 2016-06-09 | Samsung Electronics Co., Ltd. | Nfc package for storing biometric information and electronic device |
US20160210477A1 (en) * | 2015-01-20 | 2016-07-21 | Gotrust Technology Inc. | System and method of rapid deployment of trusted execution environment application |
US20160275018A1 (en) * | 2015-03-18 | 2016-09-22 | Intel Corporation | Cache and data organization for memory protection |
US9491111B1 (en) * | 2014-09-03 | 2016-11-08 | Amazon Technologies, Inc. | Securing service control on third party hardware |
US20170277869A1 (en) * | 2016-03-25 | 2017-09-28 | Mstar Semiconductor, Inc. | Computing device and data processing method |
US20170337390A1 (en) * | 2016-05-18 | 2017-11-23 | Qualcomm Incorporated | Data protection at factory reset |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1996027155A2 (en) * | 1995-02-13 | 1996-09-06 | Electronic Publishing Resources, Inc. | Systems and methods for secure transaction management and electronic rights protection |
US20070101401A1 (en) * | 2005-10-27 | 2007-05-03 | Genty Denise M | Method and apparatus for super secure network authentication |
US8341427B2 (en) * | 2009-02-16 | 2012-12-25 | Microsoft Corporation | Trusted cloud computing and services framework |
US9405562B2 (en) * | 2012-10-18 | 2016-08-02 | Broadcom Corporation | Set top box application in a concurrent dual environment |
US20140331337A1 (en) * | 2013-05-02 | 2014-11-06 | International Business Machines Corporation | Secure isolation of tenant resources in a multi-tenant storage system using a gatekeeper |
US9553850B2 (en) * | 2014-06-30 | 2017-01-24 | International Business Machines Corporation | Multi-tenant secure separation of data in a cloud-based application |
-
2017
- 2017-01-17 US US15/407,492 patent/US11075887B2/en active Active
- 2017-09-26 WO PCT/GB2017/052872 patent/WO2018078314A1/en active Application Filing
- 2017-09-26 CN CN201780065942.XA patent/CN109863497A/en active Pending
Patent Citations (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8510844B2 (en) * | 2004-10-13 | 2013-08-13 | Panasonic Corporation | Authorized content verification method, content transmission/reception system, transmitter, and receiver |
US20120253852A1 (en) * | 2011-04-01 | 2012-10-04 | Pourfallah Stacy S | Restricted-use account payment administration apparatuses, methods and systems |
US20130091209A1 (en) * | 2011-10-08 | 2013-04-11 | Broadcom Corporation | Ad hoc social networking |
US20140040979A1 (en) * | 2011-10-11 | 2014-02-06 | Citrix Systems, Inc. | Policy-Based Application Management |
WO2013072177A1 (en) | 2011-11-14 | 2013-05-23 | St-Ericsson Sa | A method for managing public and private data input at a device |
US20130243189A1 (en) * | 2012-03-19 | 2013-09-19 | Nokia Corporation | Method and apparatus for providing information authentication from external sensors to secure environments |
US20140075496A1 (en) * | 2012-09-12 | 2014-03-13 | Gyan Prakash | Mobile platform with sensor data security |
US20140281531A1 (en) * | 2013-03-14 | 2014-09-18 | Vinay Phegade | Trusted data processing in the public cloud |
US9491111B1 (en) * | 2014-09-03 | 2016-11-08 | Amazon Technologies, Inc. | Securing service control on third party hardware |
US20160164867A1 (en) * | 2014-12-03 | 2016-06-09 | Samsung Electronics Co., Ltd. | Nfc package for storing biometric information and electronic device |
US20160210477A1 (en) * | 2015-01-20 | 2016-07-21 | Gotrust Technology Inc. | System and method of rapid deployment of trusted execution environment application |
US20160275018A1 (en) * | 2015-03-18 | 2016-09-22 | Intel Corporation | Cache and data organization for memory protection |
US20170277869A1 (en) * | 2016-03-25 | 2017-09-28 | Mstar Semiconductor, Inc. | Computing device and data processing method |
US20170337390A1 (en) * | 2016-05-18 | 2017-11-23 | Qualcomm Incorporated | Data protection at factory reset |
Non-Patent Citations (1)
Title |
---|
International Search Report and Written Opinion of the International Searching Authority dated Nov. 20, 2017 in PCT/GB2017/052872, 14 pages. |
Also Published As
Publication number | Publication date |
---|---|
WO2018078314A1 (en) | 2018-05-03 |
CN109863497A (en) | 2019-06-07 |
US20180115530A1 (en) | 2018-04-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11075887B2 (en) | Federating data inside of a trusted execution environment | |
JP6898987B2 (en) | Logical repository service that uses encrypted configuration data | |
Vasudevan et al. | Trustworthy execution on mobile devices: What security properties can my mobile platform give me? | |
CN107533609B (en) | System, device and method for controlling multiple trusted execution environments in a system | |
CN107408183B (en) | Device attestation through a secure hardened management agent | |
CN104982005B (en) | Implement the computing device and method of the franchise cryptographic services in virtualized environment | |
Chen et al. | Blockchain-Enabled healthcare system for detection of diabetes | |
US8953807B2 (en) | Method and apparatus for remotely provisioning software-based security coprocessors | |
Garriss et al. | Trustworthy and personalized computing on public kiosks | |
KR101377359B1 (en) | Secure software licensing and provisioning using hardware based security engine | |
US10917243B2 (en) | Secure server and compute nodes | |
Arfaoui et al. | Trusted execution environments: A look under the hood | |
US10897359B2 (en) | Controlled storage device access | |
US20210141940A1 (en) | Method and system for enhancing the integrity of computing with shared data and algorithms | |
US20210374232A1 (en) | Data distribution using a trusted execution environment in an untrusted device | |
US11409880B2 (en) | Blackbox security for containers | |
US20230134324A1 (en) | Managing storage of secrets in memories of baseboard management controllers | |
Coppolino et al. | Exploiting new CPU extensions for secure exchange of eHealth data at the EU level | |
Scopelliti et al. | End-to-End Security for Distributed Event-Driven Enclave Applications on Heterogeneous TEEs | |
US11947659B2 (en) | Data distribution across multiple devices using a trusted execution environment in a mobile device | |
Park et al. | CAFE: A virtualization-based approach to protecting sensitive cloud application logic confidentiality | |
US20180288052A1 (en) | Trusted remote configuration and operation | |
Brasser et al. | Softer Smartcards: Usable Cryptographic Tokens with Secure Execution | |
KR20190128534A (en) | Method for combining trusted execution environments for functional extension and method for applying fido u2f for supporting business process | |
Yalew et al. | Light-SPD: A platform to prototype secure mobile applications |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: ARM IP LIMITED, UNITED KINGDOM Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:RANJAN, KARTHIK;RAMAMURTHI, SHIV;REEL/FRAME:041379/0701 Effective date: 20161215 |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: FINAL REJECTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NON FINAL ACTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: FINAL REJECTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |